Malwarebytes Identifies New Anubi Ransomware

A new ransomware called Anubi was discovered by Malwarebytes security researcher S!Ri. It appends the .[anubi@cock.li].anubi extension to encrypted files. Not much is yet known about how this ransomware is distributed, but since it is in the wild I thought I would provide a brief summary of it.

When the Anubi ransomware infects a computer, it first sets an autorun entry in the Windows Registry so that it starts automatically when the user logs in. It then scans the attached hard drives for data files, including executables, and encrypts them.

When encrypting a file, it appends the .[email_address].anubi extension to the file’s name. For example, with the current variant a file named test.jpg becomes test.jpg.[anubi@cock.li].anubi. During this process it does not encrypt files on unmapped network shares, but it does encrypt files on mapped network shares.

A folder of encrypted files can be seen below.

Once it has finished encrypting a computer, the victim will find ransom notes named __READ_ME__.txt throughout the computer. These notes instruct the victim to contact the ransomware developer at anubi@cock.li and send the unique ID at the bottom of the note in order to receive payment instructions.
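The two indicators described above, the .[email].anubi naming pattern and the __READ_ME__.txt note, are enough for a quick defender-side sweep. The following triage script is an added example, not code from the original write-up or from Malwarebytes; it assumes nothing beyond the Python standard library, and the sample paths in demo_report() are constructed for illustration.

```python
import ntpath
import os
import re
from typing import Iterable, Optional

# Naming pattern from the article: <original name>.[<contact email>].anubi
ANUBI_NAME = re.compile(r"^(?P<original>.+)\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.anubi$")
RANSOM_NOTE = "__READ_ME__.txt"  # ransom note file name from the article


def parse_anubi_name(name: str) -> Optional[dict]:
    """Return {'original', 'email'} if name carries the Anubi extension, else None."""
    m = ANUBI_NAME.match(name)
    return {"original": m.group("original"), "email": m.group("email")} if m else None


def triage(paths: Iterable[str]) -> dict:
    """Classify path strings into encrypted files, ransom notes and untouched files.
    Works on names only, so it can run over a directory walk, a file-server audit
    log or a backup manifest without opening anything."""
    report = {"encrypted": [], "notes": [], "emails": set(), "untouched": 0}
    for path in paths:
        name = ntpath.basename(path)  # splits on both '\\' and '/' on any OS
        if name == RANSOM_NOTE:
            report["notes"].append(path)
            continue
        parsed = parse_anubi_name(name)
        if parsed:
            report["encrypted"].append((path, parsed["original"]))
            report["emails"].add(parsed["email"])
        else:
            report["untouched"] += 1
    return report


def scan_tree(root: str) -> dict:
    """Walk a directory tree (e.g. a mapped share) and triage every file in it."""
    return triage(os.path.join(d, f) for d, _, files in os.walk(root) for f in files)


def demo_report() -> dict:
    """Triage a constructed listing mirroring the article's example (hypothetical paths)."""
    sample = [
        r"C:\Users\alice\Pictures\test.jpg.[anubi@cock.li].anubi",
        r"C:\Users\alice\Pictures\__READ_ME__.txt",
        r"C:\Users\alice\Documents\report.docx",
    ]
    return triage(sample)
```

Because the ransomware is slow, running scan_tree() against mapped shares during an incident gives an early count of affected files and the original names to restore from backup.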

The good news about this ransomware is that it is incredibly slow. Because of this, there is a much greater chance that a victim will notice the ransomware running and terminate the process before it finishes encrypting the entire computer.